UpdateValidator: Allow updating of your own objects.

2024-06-01 00:18:07 +00:00 · 2020-08-13 15:37:42 +02:00 · 2020-08-13 15:37:42 +02:00 · 57ab698707
parent 2bc2b321b6
commit 57ab698707
2 changed files with 30 additions and 2 deletions
--- a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
@ -5,6 +5,7 @@
 defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
  use Ecto.Schema

+  alias Pleroma.Object
  alias Pleroma.EctoType.ActivityPub.ObjectValidators

  import Ecto.Changeset
@ -42,13 +43,24 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
    |> validate_data
  end

+  defp can_update?(actor_id, actor_id), do: true
+
+  @updateable ~w{Article Note Page}
+  defp can_update?(actor_id, object_id) do
+    with %Object{data: %{"actor" => ^actor_id, "type" => type}} when type in @updateable <-
+           Object.get_cached_by_ap_id(object_id) do
+      true
+    else
+      _ -> false
+    end
+  end
+
  # For now we only support updating users, and here the rule is easy:
-  # object id == actor id
  def validate_updating_rights(cng) do
    with actor = get_field(cng, :actor),
         object = get_field(cng, :object),
         {:ok, object_id} <- ObjectValidators.ObjectID.cast(object),
-         true <- actor == object_id do
+         true <- can_update?(actor, object_id) do
      cng
    else
      _e ->
--- a/test/web/activity_pub/object_validators/update_validation_test.exs
+++ b/test/web/activity_pub/object_validators/update_validation_test.exs
@ -5,8 +5,10 @@
 defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateHandlingTest do
  use Pleroma.DataCase

+  alias Pleroma.Object
  alias Pleroma.Web.ActivityPub.Builder
  alias Pleroma.Web.ActivityPub.ObjectValidator
+  alias Pleroma.Web.CommonAPI

  import Pleroma.Factory

@ -40,5 +42,19 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateHandlingTest do

      assert {:error, _cng} = ObjectValidator.validate(update, [])
    end
+
+    test "validates a user updating their own note", %{user: user} do
+      {:ok, activity} = CommonAPI.post(user, %{status: "I love cafe"})
+
+      object = Object.normalize(activity)
+
+      updated_object =
+        object.data
+        |> Map.put("content", "I love cofe")
+
+      {:ok, update, []} = Builder.update(user, updated_object)
+
+      assert {ok, _update, []} = ObjectValidator.validate(update, [])
+    end
  end
 end